Kafka Topic Data Access Authorization

A major financial institution processes loan applications sent by authorized mortgage brokers and banks using a Kafka-based pipeline. In this system, each bank originating a loan application has a dedicated Kafka topic. The applications might pass through several intermediate banks, each reading the application from one topic and updating it before writing to another. The institution employs Zookeeper ACLs to manage access, determining which banks can read or write to specific topics.

Problem

Issues have arisen where banks mistakenly write loan applications to incorrect topics, acting as if they were the original loan initiator rather than an intermediate handler. This leads to the final loan application being sent to the wrong bank. The authorization process, focusing only on the bank and topic name, overlooks the actual data content. The director of application security expressed frustration, noting that the institution understood far more about which banks were accessing its APIs than about the actual data being shared.

Solution

By "tagging" the data from banks when they first write to a topic, Caber CA/CO tracks these unique data patterns in the loan documents, even as intermediate banks modify them. If a bank wrongly submits an application claiming to be the originator, Caber identifies this as a security risk. It then provides a detailed trail of the data's journey through the system. This enables the financial institution's security team to efficiently investigate and resolve such incidents.
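As an added illustration (not Caber's code, nor the institution's), the following Python sketch shows why a topic-name ACL alone passes the mistaken write described above and how a content-derived tag recorded on first write catches it; the topic names, bank identifiers, loan fields and the SHA-256 tagging scheme are all assumptions.

```python
import hashlib
import json

# Constructed topic ACL standing in for the Zookeeper-managed ACLs: topic -> banks allowed to write it.
TOPIC_WRITE_ACL = {"loans.bank-a": {"bank-a"}, "loans.bank-b": {"bank-b"}}

# Loan fields that stay stable while intermediate banks edit the rest of the record (assumed).
IDENTITY_FIELDS = ("applicant_id_hash", "property_id", "requested_amount")

# Tag registry: content fingerprint -> originating bank, set the first time the loan is seen.
LINEAGE: dict[str, str] = {}

def data_tag(app: dict) -> str:
    """Fingerprint the stable identity fields so edits by intermediates do not change the tag."""
    core = {k: app[k] for k in IDENTITY_FIELDS}
    return hashlib.sha256(json.dumps(core, sort_keys=True).encode()).hexdigest()

def authorize_write(bank: str, topic: str, app: dict) -> tuple[bool, str]:
    """Topic ACL first; then the lineage check that a topic-name ACL cannot express."""
    if bank not in TOPIC_WRITE_ACL.get(topic, set()):
        return False, "acl: bank not permitted to write this topic"
    tag = data_tag(app)
    if tag not in LINEAGE:
        # First sighting: the writer must be the bank it names as originator.
        if app["originator"] != bank:
            return False, "lineage: first write must come from the claimed originator"
        LINEAGE[tag] = bank
        return True, "ok: tagged"
    if app["originator"] != LINEAGE[tag]:
        return False, f"lineage: originated by {LINEAGE[tag]}, resubmitted as {app['originator']} by {bank}"
    return True, "ok"

def run_scenario() -> list[tuple[bool, str]]:
    """Constructed loan passing bank-a -> bank-b, then bank-b wrongly re-submitting it as originator."""
    LINEAGE.clear()
    app = {"applicant_id_hash": "ab12", "property_id": "P-1001",
           "requested_amount": 350000, "originator": "bank-a", "notes": ""}
    updated = dict(app, notes="underwriting complete")        # legitimate intermediate edit
    hijacked = dict(updated, originator="bank-b")             # claims to have originated the loan
    return [
        authorize_write("bank-a", "loans.bank-a", app),       # (True, "ok: tagged")
        authorize_write("bank-b", "loans.bank-b", updated),   # (True, "ok")
        authorize_write("bank-b", "loans.bank-b", hijacked),  # ACL passes, lineage denies
        authorize_write("bank-a", "loans.bank-b", app),       # plain ACL denial
    ]

if __name__ == "__main__":
    for ok, why in run_scenario():
        print("ALLOW" if ok else "DENY ", why)
```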

Third-Party API Misuse

CompanyC is a SaaS business offering a platform for companies to manage their balance sheets. They have used Business Intelligence (BI) tools to analyze customer data in line with their privacy policy. With recent advancements in AI, more third-party BI tools have become available. CompanyC has incorporated several of these tools, updating their privacy policy to cover the data access these tools require.

Problem

Updating the privacy policy doesn't automatically mean all customers consent to it, as pointed out by CompanyC's Head of Privacy Compliance. They needed a method to ensure data is only shared with tools permitted under the specific privacy policy agreed to by each customer.

Solution

Caber CA/CO addresses this by monitoring API traffic through a gateway plugin. It can track data back to its source, identifying which customers' data is being shared. Caber's features, like custom SQL queries and access policy management, enable it to check if any data shared with a BI tool belongs to a customer who hasn't agreed to the required version of the privacy policy.

Continuous Compliance Monitoring

A consumer genomics company that provides DNA testing services takes HIPAA compliance very seriously, employing a robust technology stack to secure their APIs. This stack includes systems like Alation and Immuta, specifically used for classifying Personal Health Information (PHI) data and monitoring its access.

Problem

Despite having effective classification and access controls for PHI data at rest, recent compliance audits have highlighted a problem. PHI data transferred via internal APIs sometimes ends up in unauthorized areas. This issue stems from the fact that these systems were developed by various teams at different times, lacking a consistent method for tracking the classification or origin of the data in transit.

Solution

Caber CA/CO offers a solution to this challenge. It can trace the journey of data within their internal APIs back to its original sources. After identifying the source, Caber makes a custom API call to the company's Alation system to determine the data's classification. Then, it follows up with a second call to Immuta to verify the policy compliance. This approach ensures that the movement of PHI data within the company's internal systems adheres to strict privacy and compliance standards.

Broken API Access Control

API access control issues top the OWASP Top 10 list of vulnerabilities. First American Financial Corp. faced a hefty fine of $487,616 after inadvertently exposing 885 million records containing sensitive personal and financial information. This breach occurred due to an unsecured API, accessible to anyone with a web browser without any authentication or authorization. The data remained exposed for an astounding 16 years until security journalist Brian Krebs discovered the flaw.

Problem

There's a distinct separation between APIs handling user requests and those processing data for these requests. While individual APIs are well-secured, the real challenge lies in safeguarding interactions between front-end and back-end APIs. In modern applications, these interactions are complex, unpredictable, and constantly evolving. Service meshes might control which APIs can interact, but they fall short in monitoring the data exchanged.

Solution

Caber CA/CO is designed to trace data as it moves between APIs and services, right down to the byte level. It can identify the source, ownership, and permissions of data, even when mixed or truncated. Had Caber CA/CO been available, it would have allowed First American Financial's security team to detect and address the data exposure issue promptly.

Try Caber CA/CO For Yourself

A guided self-service demo automatically deploys into, and is later removed from, your AWS account.